In-house Request Network checkout went fully end-to-end on dev today. A real 0.01 USDC payment flowed through wallet connect -> approve -> ERC20FeeProxy.transferFromWithReferenceAndFee -> RN webhook -> TransactionSafetyProvider -> Payment.status=completed -> page success state. Tx 0x494c77a29161b5100d8e0b1ac675f1822955d0bb3633ecdbfafb886f84f2f320.

Docs:
- New PRD: Wallet, Multichain, Confirmations, AML, Trezor (5 follow-ups, each sized for an independent contributor)
- Updated PRD: Request Network In-House Checkout (phases 0..3 done, phase 4 partial, phases 5-6 not started)
- Updated handoff: deployed versions, what is working end-to-end, follow-up tasks index

Taskmaster: 5 new top-level tasks (#7..#11) covering ephemeral destination wallets, multichain proxy registry + USDC/USDT, runtime confirmation thresholds, optional seller-paid AML screening, and Trezor signing for admin actions. Tasks are scoped fine-grained so each is independent enough for kimi to pick up.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
36 lines
1.2 KiB
Markdown
---
taskmaster_id: "5.8"
status: "done"
priority: "high"
depends_on: ["2", "3", "5", "6"]
parent_id: "5"
source: "taskmaster"
generated_at: "2026-05-28T11:49:27.076Z"
---

# 5.8 - Add security, compliance, and abuse controls for Telegram

- [x] 5.8 - Add security, compliance, and abuse controls for Telegram #taskmaster #priority/high #status/done ⏫ 🆔 tm-5-8 ⛔ tm-2 ⛔ tm-3 ⛔ tm-5 ⛔ tm-6

## Metadata

| Field | Value |
| --- | --- |
| Taskmaster ID | 5.8 |
| Status | done |
| Priority | high |
| Dependencies | 2, 3, 5, 6 |
| Parent | 5 - Deliver Telegram-native app, bot, and wallet experience |

## Description

Threat-model the Telegram surface and add controls before launch.

## Details

Cover forged init data, callback replay, deep-link parameter tampering, phishing links, bot token leakage, spam, account takeover, wallet spoofing, fake payment proof, and support impersonation. Document secrets, bot webhook endpoints, Wallet Pay keys, TON Connect manifest, CORS, CSP, allowed origins, rate limits, and monitoring for update failures, abnormal callbacks, payment mismatches, blocked notifications, and suspicious wallet activity.
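Two of the threats listed above, forged init data and replay, share one standard server-side control: recompute the HMAC that Telegram attaches to a Mini App's initData from the bot token, compare it in constant time, and reject payloads whose auth_date falls outside a short freshness window. The block below is an added example, not code from this repository; the bot token, the sample fields and the 5-minute window are constructed assumptions, and build_example_init_data only reproduces Telegram's own signing so the example runs offline.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Constructed placeholder; a real bot token lives in a secret store, never in source.
EXAMPLE_BOT_TOKEN = "123456:EXAMPLE-BOT-TOKEN-PLACEHOLDER"
# Assumed freshness window: initData older than this is treated as a replay.
MAX_AGE_SECONDS = 300


def _secret_key(bot_token: str) -> bytes:
    # Telegram derives the verification key as HMAC-SHA256 keyed with "WebAppData"
    # over the bot token, so only a party holding the token can produce valid hashes.
    return hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()


def _data_check_string(fields: Dict[str, str]) -> str:
    # Every received field except "hash", as key=value, sorted by key, newline-joined.
    return "\n".join(f"{k}={v}" for k, v in sorted(fields.items()) if k != "hash")


def _expected_hash(fields: Dict[str, str], bot_token: str) -> str:
    return hmac.new(_secret_key(bot_token), _data_check_string(fields).encode(),
                    hashlib.sha256).hexdigest()


def verify_init_data(init_data: str, bot_token: str, now: Optional[float] = None,
                     max_age: int = MAX_AGE_SECONDS) -> Tuple[bool, str, Dict[str, str]]:
    """Return (ok, reason, fields). Fields are trustworthy only when ok is True."""
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    received = fields.get("hash", "")
    if not received:
        return False, "missing hash", {}
    # Constant-time comparison so the check does not leak how many hex chars matched.
    if not hmac.compare_digest(_expected_hash(fields, bot_token), received):
        return False, "signature mismatch (forged or tampered init data)", {}
    try:
        auth_date = int(fields["auth_date"])
    except (KeyError, ValueError):
        return False, "missing or malformed auth_date", {}
    current = time.time() if now is None else now
    if current - auth_date > max_age:
        return False, "stale auth_date (possible replay)", {}
    return True, "ok", fields


def build_example_init_data(fields: Dict[str, str], bot_token: str) -> str:
    # Test fixture only: reproduces the signing Telegram's servers perform so the
    # example can run offline. A server verifying initData never needs this.
    unsigned = {k: v for k, v in fields.items() if k != "hash"}
    return urlencode({**unsigned, "hash": _expected_hash(unsigned, bot_token)})


if __name__ == "__main__":
    # Constructed sample fields in the shape Telegram sends (user is a JSON string).
    sample = {"query_id": "AAEXAMPLE", "auth_date": "1700000000",
              "user": '{"id":1,"first_name":"Test"}'}
    good = build_example_init_data(sample, EXAMPLE_BOT_TOKEN)
    print(verify_init_data(good, EXAMPLE_BOT_TOKEN, now=1700000100)[:2])
    # -> (True, 'ok')
    print(verify_init_data(good.replace("AAEXAMPLE", "AAFORGED"),
                           EXAMPLE_BOT_TOKEN, now=1700000100)[:2])
    # -> (False, 'signature mismatch (forged or tampered init data)')
    print(verify_init_data(good, EXAMPLE_BOT_TOKEN, now=1700009999)[:2])
    # -> (False, 'stale auth_date (possible replay)')
```

The freshness window bounds replay but does not stop it within the window; a per-query_id nonce cache or a server-issued session that the client presents on later calls closes that gap, and the hash check alone says nothing about whether the deep-link start parameter was tampered with, which needs its own server-side validation.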

## Verification

See Telegram-native PRD acceptance criteria.